Netfilter / nftables interval set regression introduced in Linux 4.19.0-27-amd64 / 4.19.316-1?
Hi,
With the following linux-image packages installed:
linux-image-4.19.0-21-amd64/oldoldstable,now 4.19.249-2 amd64 [installed,auto-removable]
linux-image-4.19.0-26-amd64/oldoldstable,now 4.19.304-1 amd64 [installed]
linux-image-4.19.0-27-amd64/oldoldstable,now 4.19.316-1 amd64 [installed,automatic]
linux-image-amd64/oldoldstable,now 4.19+105+deb10u22 amd64 [installed]
(& nftables/oldoldstable,now 0.9.0-2 amd64 [installed])
when booted into -21 or -26, this command completes successfully:
# nft add set ip filter demo { type ipv4_addr \; flags interval \; elements = { 1.1.1.1, 1.1.1.2 } }
But, when booted into -27, it errors with:
Error: Could not process rule: Directory not empty
add set ip filter demo { type ipv4_addr ; flags interval ; elements = { 1.1.1.1, 1.1.1.2 } }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The following short script reliably reproduces the issue when executed as root:
-=-
nft flush ruleset
nft add table ip filter
nft add set ip filter demo { type ipv4_addr \; flags interval \; elements = { 1.1.1.1, 1.1.1.2 } }
nft list ruleset
-=-
I observe that:
* Without 'flags interval', the set loads successfully.
* If the two elements are not adjacent, the set loads successfully. (e.g. 'elements = { 1.1.1.1, 1.1.1.3 }')
with thanks,
Graham
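An added pre-check, not from the report above: it takes an nftables interval-set element list, flags pairs that overlap or sit directly next to each other (the "adjacent elements" condition the report identifies as the failing case), and prints the equivalent list with those entries collapsed into explicit ranges. Whether the collapsed form loads on 4.19.316-1 is not stated in the report and must be tried on the host; the set name, table name and element lists below are constructed for the example.

```python
"""Pre-check an nftables 'flags interval' element list for adjacent or
overlapping entries before handing it to nft.

Example code written for this thread, not part of the original report.
Element syntax accepted: 'a.b.c.d', 'a.b.c.d/n' and 'a.b.c.d-e.f.g.h'
(the range form nft itself uses for interval sets)."""
import ipaddress


def parse_element(elem):
    """Return (first, last) as integers for one IPv4 interval-set element."""
    elem = elem.strip()
    if "-" in elem:
        lo, hi = elem.split("-", 1)
        first = int(ipaddress.IPv4Address(lo.strip()))
        last = int(ipaddress.IPv4Address(hi.strip()))
        if last < first:
            raise ValueError(f"reversed range: {elem}")
        return first, last
    net = ipaddress.IPv4Network(elem, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def fmt(lo, hi):
    """Render an integer interval back into nft element syntax."""
    a = ipaddress.IPv4Address
    return str(a(lo)) if lo == hi else f"{a(lo)}-{a(hi)}"


def find_adjacent(elements):
    """List (left, right) element pairs that touch (last + 1 == first) or overlap.

    Returns [] when every element is separated by at least one unused address,
    which is the case the report says loads fine on the affected kernel."""
    ivs = sorted(parse_element(e) for e in elements)
    problems = []
    for (alo, ahi), (blo, bhi) in zip(ivs, ivs[1:]):
        if blo <= ahi + 1:          # touching or overlapping
            problems.append((fmt(alo, ahi), fmt(blo, bhi)))
    return problems


def merge_intervals(elements):
    """Collapse touching/overlapping elements into explicit ranges.

    The result covers exactly the same addresses as the input, just with
    adjacency removed."""
    ivs = sorted(parse_element(e) for e in elements)
    merged = []
    for lo, hi in ivs:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return [fmt(lo, hi) for lo, hi in merged]


def render_add_set(table, name, elements):
    """Build the shell-quoted 'nft add set' line for a merged element list."""
    body = ", ".join(merge_intervals(elements))
    return (f"nft add set ip {table} {name} "
            f"{{ type ipv4_addr \\; flags interval \\; elements = {{ {body} }} }}")


if __name__ == "__main__":
    # Constructed sample: the report's failing pair plus a couple of prefixes.
    sample = ["1.1.1.1", "1.1.1.2", "10.0.0.0/24", "10.0.1.0/24", "192.0.2.9"]
    for left, right in find_adjacent(sample):
        print(f"adjacent: {left} / {right}")
    print(render_add_set("filter", "demo", sample))
```

Run it against the element list you intend to load; any line starting with `adjacent:` names a pair that matches the report's failing pattern, and the final line is the same set expressed without adjacency, ready to try on the -27 kernel.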